CN114861160A - Method, device, equipment and storage medium for improving non-administrator account authority - Google Patents
Method, device, equipment and storage medium for improving non-administrator account authority Download PDFInfo
- Publication number
- CN114861160A CN114861160A CN202210400321.5A CN202210400321A CN114861160A CN 114861160 A CN114861160 A CN 114861160A CN 202210400321 A CN202210400321 A CN 202210400321A CN 114861160 A CN114861160 A CN 114861160A
- Authority
- CN
- China
- Prior art keywords
- program
- desktop agent
- information
- system management
- desktop
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/45—Structures or tools for the administration of authentication
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/604—Tools and structures for managing or administering access control systems
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- General Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- General Health & Medical Sciences (AREA)
- Bioethics (AREA)
- Health & Medical Sciences (AREA)
- Automation & Control Theory (AREA)
- Stored Programmes (AREA)
Abstract
The invention is suitable for the technical field of computers, and provides a method for improving the account authority of a non-administrator, which comprises the following steps: operating the desktop agent program with the system management authority; the desktop agent program acquires the information of the travel to be transported; the desktop agent program matches the information of the to-be-transported process with a program white list; if the matching is successful, the desktop agent program creates a process to be operated; and if the matching fails, re-executing the step of operating the desktop agent program with the system management authority. Through the scheme, the technical problem that in a specific scene, a standard user cannot obtain administrator authority, so that work cannot be promoted can be solved.
Description
Technical Field
The invention belongs to the technical field of computers, and particularly relates to a method, a device, equipment and a storage medium for improving non-administrator account authority.
Background
The Windows family of operating systems is introduced by microsoft corporation and is currently one of the mainstream desktop operating systems. Microsoft has adopted a User Account Control (UAC) mechanism in an operating system behind the Windows Vista version to help prevent malicious programs from damaging the system and also help deploy an easily managed platform. The UAC is mainly used to distinguish a standard user and an administrator user of a system, and when a certain program is installed or run and administrator rights are required, a UAC prompt box is popped up to require an administrator credential to be provided by a person currently using a computer, so that the installation and the running of the program can be realized.
Under the specific actual scene of some enterprise departments, employees log in a Windows operating system with standard user authority and belong to a limited account, installation programs or running some programs all need administrator authority, and administrator certification verification is carried out through a UAC prompt box to obtain the authority so as to complete the operation. The credential is the administrator account and password. However, the administrator credentials are held and responsible by the department administrator and cannot be directly granted to the staff, so that the credential verification operation can only be performed by the administrator inputting the account password to the field to complete the related tasks requiring the authority on the target computer, the process is very complicated and low in efficiency, and certain threat is caused to the security of the administrator password. And related operations can be hardly completed during the travel of the staff.
Some applications can use Administrator rights by bypassing the UAC by using a task planning program and a tool Application Compatibility Toolkit (ACT) provided by microsoft, but the current Windows corresponding version system also has a Bypass method of bypassing the UAC by Bypass, but the current login account of the applications needs to be an Administrator, and the current login account of the system is a standard user, so that Administrator rights (Administrator rights) cannot be obtained.
Under the condition that the UAC is opened by the Window system, at present, no method for enabling a standard user to obtain the system management authority without passing the verification of administrator credentials exists at home and abroad. Therefore, how to enable a standard user under Windows to obtain administrator rights without verifying credentials, complete the tasks of program installation and certain programs requiring high system rights, effectively control the utilization of the rights, and ensure the security of the system becomes a problem to be solved urgently.
Disclosure of Invention
The embodiment of the invention provides a method, a device, equipment and a storage medium for improving the non-administrator account permission, and can solve the technical problem that in a specific scene, a standard user cannot obtain the administrator permission, so that work cannot be promoted.
In a first aspect, an embodiment of the present invention provides a method for improving non-administrator account permissions, including:
operating the desktop agent program with the system management authority;
the desktop agent program acquires the information of the travel to be transported;
the desktop agent program matches the information of the to-be-transported process with a program white list;
if the matching is successful, the desktop agent program creates a process to be operated;
and if the matching fails, re-executing the step of operating the desktop agent program with the system management authority.
In a possible implementation manner of the first aspect, the step of running the desktop agent with the system management authority includes:
acquiring a starting-up instruction;
starting a Windows service program according to the starting instruction;
and the Windows service program starts the desktop agent program with the system management authority.
In a possible implementation manner of the first aspect, the step of starting the desktop agent by the Windows service program with the system management authority is:
calling a function for acquiring a current HANDLE to acquire the HANDLE of the current service process;
determining a system management authority token of the service process according to the handle and the process access function;
calling a token copying function to create a new token to copy the system management authority token of the service process;
calling a session ID acquisition function to acquire a session ID of a user desktop process;
and calling a process creation function and creating a desktop agent process with system management authority according to the HANDLE HANDLE, the system management authority token and the session ID.
In a possible implementation manner of the first aspect, the program white list is constructed in a manner that:
acquiring an executable file of a trusted installation program or an application program;
calculating the installation programs or the executable files according to a front-end encryption algorithm to determine a first hash value corresponding to each installation program or each executable file;
and storing each first hash value as a program white list.
In a possible implementation manner of the first aspect, the step of matching, by the desktop agent, the to-be-run process information with a program white list includes:
acquiring the information of the travel to be transported;
calculating a second hash value corresponding to the to-be-transported travel information according to the to-be-transported travel information and a hash function;
and matching the second hash value of the information of the travel to be transported with the first hash value in the program white list.
In a possible implementation manner of the first aspect, after the running the desktop agent with the system management authority, the method further includes:
filtering out the to-be-run process which is started by the desktop agent program and has system management authority;
storing the behavior information of the process to be run as behavior log information;
sending the behavior log information to the desktop agent program;
and the desktop agent program uploads the behavior log information to a server for storage.
In a possible implementation manner of the first aspect, the behavior log information includes a process PID, a process name, a host name (Windows current login user name), a process behavior (process creation and exit, registry operation), and a creation time (i.e. a time when a corresponding behavior occurs).
In a second aspect, an embodiment of the present invention provides an apparatus for promoting non-administrator account permissions, including:
the execution module runs the desktop agent program with the system management authority;
the information acquisition module is used for acquiring the information of the to-be-transported process by the desktop agent program;
the control module is used for matching the information of the progress to be transported with a program white list by the desktop agent program; if the matching is successful, the desktop agent program creates a process to be operated; and if the matching fails, re-executing the step of operating the desktop agent program with the system management authority.
In a third aspect, an embodiment of the present invention provides an apparatus, including a memory, a processor, and a computer program stored in the memory and executable on the processor, where the processor, when executing the computer program, implements the method for raising non-administrator account permissions as described above.
In a fourth aspect, an embodiment of the present invention provides a storage medium, where the storage medium stores a computer program, and the computer program, when executed by a processor, implements the method for promoting non-administrator account permissions as described above.
It is understood that the beneficial effects of the second aspect to the fifth aspect can be referred to the related description of the first aspect, and are not described herein again.
Compared with the prior art, the embodiment of the invention has the following beneficial effects:
according to the method, when a common user right logs in the system, the information of the to-be-transported process is obtained through the desktop agent program, so that the information of the to-be-transported process can be matched with the program white list; and when the matching is successful, the desktop agent program creates the process to be run, so that the process to be run can be created through the desktop agent program, and a manager does not need to acquire credential verification to acquire system management authority. The technical problem that in a specific scene, a standard user cannot obtain administrator authority, so that work cannot be promoted is solved.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings needed for the embodiments or the prior art descriptions will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings without creative efforts.
FIG. 1 is a flowchart illustrating a method for promoting non-administrator account permissions according to an embodiment of the present invention;
FIG. 2 is a flowchart illustrating a method for promoting non-administrator account permissions according to an embodiment of the present invention;
FIG. 3 is a flowchart illustrating a method for promoting non-administrator account permissions according to an embodiment of the present invention;
FIG. 4 is a flowchart illustrating a method for promoting non-administrator account permissions according to an embodiment of the present invention;
FIG. 5 is a flowchart illustrating a method for promoting non-administrator account permissions according to an embodiment of the present invention;
FIG. 6 is a schematic structural diagram of an apparatus for increasing non-administrator account permissions according to an embodiment of the present invention;
fig. 7 is a schematic structural diagram of an apparatus provided in an embodiment of the present invention.
Detailed Description
In the following description, for purposes of explanation and not limitation, specific details are set forth, such as particular system structures, techniques, etc. in order to provide a thorough understanding of the embodiments of the invention. It will be apparent, however, to one skilled in the art that the present invention may be practiced in other embodiments that depart from these specific details. In other instances, detailed descriptions of well-known systems, devices, circuits, and methods are omitted so as not to obscure the description of the present invention with unnecessary detail.
It should be understood that the terms "comprises" and/or "comprising," when used in this specification and the appended claims, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
It should also be understood that the term "and/or" as used in this specification and the appended claims refers to and includes any and all possible combinations of one or more of the associated listed items.
As used in this specification and the appended claims, the term "if" may be interpreted contextually as "when", "upon" or "in response to" determining "or" in response to detecting ". Similarly, the phrase "if it is determined" or "if a [ described condition or event ] is detected" may be interpreted contextually to mean "upon determining" or "in response to determining" or "upon detecting [ described condition or event ]" or "in response to detecting [ described condition or event ]".
Furthermore, in the description of the present invention and the appended claims, the terms "first," "second," "third," and the like are used for distinguishing between descriptions and not necessarily for describing or implying relative importance.
Reference throughout this specification to "one embodiment" or "some embodiments," or the like, means that a particular feature, structure, or characteristic described in connection with the embodiment is included in one or more embodiments of the present invention. Thus, appearances of the phrases "in one embodiment," "in some embodiments," "in other embodiments," or the like, in various places throughout this specification are not necessarily all referring to the same embodiment, but rather "one or more but not all embodiments" unless specifically stated otherwise. The terms "comprising," "including," "having," and variations thereof mean "including, but not limited to," unless expressly specified otherwise.
The method for promoting the non-administrator account authority provided by the embodiment of the invention can be applied to a tablet personal computer, a notebook computer, a super-mobile personal computer (UMPC), a netbook, a Personal Digital Assistant (PDA) and other devices which can be provided with a Windows system, and the embodiment of the invention does not limit the specific type of the devices at all.
In one embodiment, as shown in fig. 1, a method for promoting non-administrator account permissions includes:
s1, operating the desktop agent program with the system management authority;
the system management authority is actually the highest user authority of a computer and the like, the operation and installation of all storage devices and software in the computer and the basic setting of the software can be modified and set, in many pieces of software, in order to ensure the executability of all functions during installation, the installation needs to be carried out with the system management authority, but in many companies, the authority in the computer needs to be limited layer by layer due to the requirements of confidentiality and company network security, so that many users do not have the system management authority and can only log in own standard user accounts for operation. And the desktop agent is actually a code for executing a predetermined operation flow.
S2, the desktop agent program acquires information of a to-be-transported process;
the desktop agent program can acquire the information of the to-be-transported process in real time through a desktop interaction process, and at the moment, the information of the to-be-transported process is an application program or an executable file of an installation program.
S3, the desktop agent program matches the information of the progress to be carried with a program white list;
and when the matching is actually the matching of the characteristics of the information of the to-be-carried travel and the characteristics in the program white list, the matching is confirmed to be successful. Then when the two are not the same, the confirmation of the match fails.
S4, if the matching is successful, the desktop agent program creates a process to be run;
and S5, if the matching fails, re-executing the step of operating the desktop agent program with the system management authority.
According to the method, when a common user right logs in the system, the information of the to-be-transported process is obtained through the desktop agent program, so that the information of the to-be-transported process can be matched with the program white list; and when the matching is successful, the desktop agent program creates the process to be run, so that the process to be run can be created through the desktop agent program, and a manager does not need to obtain credential verification so as to obtain system management authority. The technical problem that in a specific scene, a standard user cannot obtain administrator authority, so that work cannot be promoted is solved. And the safety of the system management authority utilization of the Windows system and the safety of the administrator credentials are improved on the basis of improving the working efficiency and simplifying the business process.
The embodiment of the invention enables standard users (namely users without system management authority) logging in the Windows operating system in corresponding scenes to directly acquire the system management authority of the Windows system without certification verification so as to finish installation and running of corresponding programs, prevents authority abuse in a program white list verification mode, and monitors the authority utilization condition in a mode of monitoring the authority-raising process behavior by kernel driving, so that the utilization of the authority is transparent to a system administrator, and the safety of the whole system is more improved. The invention can ensure that a standard user under a Windows system can obtain the high authority of the system without certification verification, complete program installation and certain tasks needing high authority program operation, does not need the participation of a PC (personal computer) manager, improves the working efficiency and protects the account and password certification of the manager to a certain extent.
In one possible implementation, as shown in fig. 2, the step of running the desktop agent with the system management authority includes:
s11, acquiring a starting instruction;
the starting-up instruction is a starting-up instruction of the computer or other personal equipment and is used for waking up and starting up the computer or other personal equipment.
S12, starting a Windows service program according to the starting instruction;
among them, the Windows service program is also a Windows system in general.
And S13, the Windows service program starts the desktop agent program with the system management authority.
By the scheme, the service can be configured in the installation process of the desktop agent program, and the desktop agent program is set to be started up automatically by setting the working logic. The desktop Agent (Agent client) is self-started with a System management authority (System authority) through the Windows service program, and the desktop Agent (desktop application process Agent) capable of interacting with a user is created. And a sub-thread is used for protecting the desktop Agent program (Agent process) in the desktop Agent program (Windows service AgentService), once the desktop Agent program (Agent process) is terminated, the computer can only be restarted to obtain the System management authority (System authority), the sub-thread monitors the desktop Agent program (Agent process), circularly detects whether a handle of the desktop Agent program (Agent process) exists, blocks circulation if the handle exists, and restarts the desktop Agent program (Agent process) if the handle does not exist.
Based on the above embodiment, the Windows service program can be set to boot self-start when installed, and the desktop agent program is started by the service program with the system management authority when the computer is booted, so that the basis of the application program for privilege escalation is completed. And only once starting can be carried out during starting, and when a blocking cycle exists, the system management authority can be obtained again only by restarting the starting instruction, and then the desktop agent program is started by the system management authority, so that the running safety is fully ensured.
In one possible implementation manner, as shown in fig. 3, the step of starting the desktop agent by the Windows service program with the system management authority is as follows:
s131, calling a function for acquiring a current HANDLE to acquire the HANDLE of the current service process;
in the Windows service process, a HANDLE HANDLE of the current service process is obtained by calling a function for obtaining the current HANDLE, the HANDLE of the process is based on a specific process, the HANDLE is actually a pointer, and for the same process object, the HANDLE points to a memory containing specific information data and can be used as an index.
It should be noted that the function of obtaining the current handle may be implemented by using a GetCurrentProcess function.
S132, determining a system management authority token of the service process according to the handle and the process access token function;
the calling process access Token function obtains the authority Token of the service process, namely the system management authority Token, by means of the obtained handle, and the access Token is a protected object and contains identification and privilege information related to the user account. When a user logs in a windows computer, the login process can verify the login credentials of the user. After success, the login process returns a SID (security identifier) of the corresponding user and a list of security group SIDs of the user.
It should be noted that the process access token function may be implemented by using an OpenProcessToken function.
S133, calling a token copying function to create a new token to copy the system management authority token of the service process;
it should be noted that the token copy function can be implemented by using a DuplicateTokenEx function.
S134, calling a session ID acquisition function to acquire a session ID of the user desktop process;
the session ID obtaining function obtains the session ID of the desktop process of the user, and is used for starting the desktop UI process, declaring the variable of the STARTUPINFO structural body, setting the session ID, displaying the session ID in a mode of creating the process, retrieving the environment variable of the specified Windows login user, and calling the CreateEnviromentBlock function to create the environment block.
It should be noted that the session ID obtaining function may be implemented by using a wtsgetateconcosessionid function.
S135, calling a process creating function and creating a desktop agent process with system management authority according to the HANDLE HANDLE, the authority Token and the session ID.
It should be noted that the process creation function may be implemented by using a createprocesssas user function.
In the above embodiment, a process creation function is called to create a desktop agent process with SYSTEM authority according to the previously acquired related information;
the createprocessauser function parameters are as follows:
wherein hToken represents the authority Token handle Token of the process, lpApplicationName represents the name of the process to be started, namely, the desktop agent. lpenenvironment points to the pointer of the environment block of the new process, namely the environment block handle created above; lpStartupInfo points to the pointer of the start information structure, i.e., the above-mentioned startupfo structure variable; dwCreationFlag is assigned NORMAL _ PRIORITY _ CLASS | CREATE _ NEW _ condition | CREATE _ unique _ entry.
In a possible implementation manner, the program white list is constructed in the following manner:
acquiring an executable file of a trusted installation program or an application program;
a background administrator of the server selects executable files of a trusted installation program or application program in a local file directory system, such as a.msi installation program file and a.exe executable file.
Calculating the installation programs or the executable files according to a front-end encryption algorithm to determine a first hash value corresponding to each installation program or each executable file;
the library function for calculating the value of the file SHA1 realized by the JavaScript at the front end of the Web calculates the Hash value, namely the first Hash value. The front-end encryption algorithm may be set by the user, or may be selected from the prior art.
And storing each first hash value as a program white list.
In the above embodiment, the first hash value is stored as a program white list to form a program white list, and the program white list can also be uploaded to a server and stored in a database for backup. Based on the above, the technical problem that in a specific scene, a standard user cannot obtain administrator authority, so that work cannot be promoted can be solved. The working efficiency can be improved, and the safety of system management permission utilization and the safety of administrator credentials of the Windows system are improved on the basis of simplifying the business process.
It should be emphasized that the present invention enables a standard user of a Windows SYSTEM to obtain SYSTEM authority of the SYSTEM, so that security is particularly important, and programs included in a white list are all trusted programs.
In a possible implementation manner, referring to fig. 4, the step of matching, by the desktop agent, the to-be-run process information with a program white list includes:
s31, acquiring the information of the travel to be transported;
the desktop Agent (Agent) receives user input, and the user provides information of a to-be-run process, such as a full path of an application executable file (e.g., exe file), to the desktop Agent and selects to run the process.
S32, calculating a second hash value corresponding to the to-be-transported distance information according to the to-be-transported distance information and a hash function;
and calculating a second hash value corresponding to the process information to be run, such as an executable file, by using a hash function.
And S33, matching the second hash value of the information of the to-be-transported process with the first hash value in the program white list.
And then communicating with a server through an Http protocol, the server accessing a database to inquire whether a second hash value is in the program white list, that is, whether the second hash value has a first hash value matched with the second hash value, if not, the information of the process to be run is not in the program white list, and if the first hash value matched with the second hash value exists, the desktop agent creates an application program process of the information of the process to be run, and the process inherits the system management authority of the desktop agent.
In this embodiment, the application currently selected by the user is run by calling the Windows system API function CreateProcess. The CreateProcess function parameters are as follows:
the method comprises the steps of declaring two empty structures, namely a STARTUPINFO structure for determining how a main form of a new PROCESS is displayed and a PROCESS _ INFORMATION structure for receiving identification INFORMATION of the new PROCESS, assigning a command line parameter lpCommmandeLine as a path of a program executable file to be proposed to run, and setting the rest as default values to realize the creation of the new PROCESS.
In the embodiment, the control of the permission use range is enhanced by a program white list verification mode, and the threat of malicious permission utilization to the Windows system is prevented.
In a possible implementation manner, as shown in fig. 5, after the running the desktop agent with the system management authority, the method further includes:
s6, filtering the to-be-run process which is started by the desktop agent program and has system management authority;
the desktop Agent (Agent) starts a SYSTEM management authority (SYSTEM authority) process, the kernel layer monitors event messages, and the behavior of the SYSTEM authority process started by the desktop Agent is filtered according to the process name and the logic relationship between a parent process and a child process. If the process name of the desktop agent is agent.exe, for a newly created process, the process name of the parent process is agent.exe. And filtering the behavior information of the privilege offering process into the process to be run with the system management privilege.
S7, storing the behavior information of the process to be run as behavior log information;
the behavior information of the process to be run, namely the behavior information of the privilege-raising process is filtered and temporarily recorded into a buffer area, and is stored as behavior log information.
S8, sending the behavior log information to the desktop agent program;
and based on the communication technology of the kernel layer and the application layer, the process behavior log information is sent to the desktop Agent program Agent.
And S9, the desktop agent program uploads the behavior log information to a server for storage.
And the desktop agent program uploads the log information to the server and stores the log information in the relational database.
By the scheme, the behavior of the process for improving the authority of the process to be operated can be monitored, so that the authority utilization information of the user is monitored by management personnel.
Furthermore, the creation and exit of the privilege escalation process and the operation of the privilege escalation process on the registry are mainly monitored;
specifically, the creation and exit of a process is monitored by using the PsSetCreateProcessNotifyRouteeEx kernel function and declaring a callback function as follows:
the parameter notifyRouteine points to a registered or deleted pointer of the PCREATE _ PROCESS _ NOTIFY _ ROUTINE _ EX ROUTINE, and when a new PROCESS is created, an operating system calls the ROUTINE; the parameter Remove specifies whether PsSetCreateProcessNotifyRouteeEx will add or delete the specified routine from the callback routine list. If the parameter is TRUE, the specified routine is removed from the callback routine list. If this parameter is FALSE, the specified routine is added to the callback routine list.
In this embodiment, NotifyRoutine points to a defined callback function, a Remove parameter is set to FALSE when the monitoring process is created, and a Remove parameter is set to TRUE when the monitoring process exits. And storing the process behavior information into the extended structure to be transmitted to the application layer.
In the callback function, a parent process ID of the currently created process is obtained by calling a PsGetProcessInheritedFromUniqueProcessId function, a PEPROCESS structure is obtained according to the parent process PID by calling a PsLookupProcessByProcessId function, and then a PsGetProcessImageFileName function is called to read the process name of the parent process. And if the parent process name is agent.
A callback function is set using the CmRegisterCallback kernel function to monitor the operations performed by the process on the registry. The function is as follows:
the parameter Function points to the pointer of the registraticallback routine, i.e. the Function address of the callback; the parameter Cookie points to a pointer to the LARGE _ INTEREGER variable that receives a value identifying the callback routine.
In this embodiment, the parent process information of the current process is obtained in the above manner, whether the parent process name is agent. Specifically, a registry path is acquired by calling a GetRegisterObjectCompletePath function, and information is written into a memory in a character string form.
For the process creation and exit written in the memory and the registry operation information, when a corresponding event occurs, the content is sent to the memory buffer area through an IRP request, an application layer, namely agent.exe, is informed to read, and a monitoring thread is maintained in the agent.exe to communicate with a kernel layer.
Specifically, after the driver obtains the monitoring information, a request is sent to the application layer through the KeSetEvent function. And registering a DEVICE communication function DriveDfaceFilter handle in a drive inlet, executing the function when the driver receives an IRP _ MJ _ DEVICE _ CONTROL request, writing monitoring information into the IRP by the function, and returning an IRP message to an application layer.
Reading information by calling a CreateFile function at an application layer, generating an IRP of an IRP _ MJ _ CREATE type through an I/O manager when the function is called, finding a corresponding drive according to a device to which the function aims, calling a corresponding processing function in the drive, returning a value returned in the processing function to the I/O manager, returning the value to an API of the application layer through the I/O manager, and continuously waiting for an event notification of a kernel layer ring0 by an application layer thread through a WaitForSingleObject function in a while loop. And directly sending the control code to a specified device driver through the DeviceIoControl, so that the device executes corresponding operation to complete the communication between the kernel driver and the application layer process.
And the thread of the application layer agent.exe converts the information into data in a Json format, adds a user name of a currently logged Windows system into the information, and uploads the information to a server to be stored as process behavior log information.
Optionally, the behavior log information includes a process PID, a process name, a host name (Windows current login user name), a process behavior (process creation and exit, registry operation), and a creation time (i.e. a time when a corresponding behavior occurs).
The present invention further provides a device for promoting non-administrator account permissions, which is shown in fig. 6 and includes:
the execution module runs the desktop agent program with the system management authority;
the information acquisition module is used for acquiring the information of the to-be-transported process by the desktop agent program;
the control module is used for matching the information of the progress to be transported with a program white list by the desktop agent program; if the matching is successful, the desktop agent program creates a process to be operated; and if the matching fails, re-executing the step of operating the desktop agent program with the system management authority.
Optionally, the information obtaining module is further configured to obtain a boot start instruction;
the execution module starts a Windows service program according to the starting instruction; and the Windows service program starts the desktop agent program with the system management authority.
Optionally, the control module is further configured to call an acquire current HANDLE function to acquire a HANDLE of the current service process; determining a system management authority token of the service process according to the handle and the process access function; calling a token copying function to create a new token to copy the system management authority token of the service process; calling a session ID acquisition function to acquire a session ID of a user desktop process; and calling a process creation function and creating a desktop agent process with system management authority according to the HANDLE HANDLE, the system management authority token and the session ID.
Optionally, the control module is further configured to obtain an executable file of a trusted installer or an application; calculating the installation programs or the executable files according to a front-end encryption algorithm to determine a first hash value corresponding to each installation program or each executable file; and storing each first hash value as a program white list.
Optionally, the control module is further configured to obtain the to-be-transported travel information; calculating a second hash value corresponding to the to-be-transported travel information according to the to-be-transported travel information and a hash function; and matching the second hash value of the information of the to-be-transported process with the first hash value in the program white list.
Optionally, the control module is further configured to filter out the to-be-run processes started by the desktop agent and having system management permissions;
storing the behavior information of the process to be run as behavior log information;
sending the behavior log information to the desktop agent program;
and the desktop agent program uploads the behavior log information to a server for storage.
According to the method, when a common user right logs in the system, the information of the to-be-transported process is obtained through the desktop agent program, so that the information of the to-be-transported process can be matched with the program white list; and when the matching is successful, the desktop agent program creates the process to be run, so that the process to be run can be created through the desktop agent program, and a manager does not need to obtain credential verification so as to obtain system management authority. The technical problem that in a specific scene, a standard user cannot obtain administrator authority, so that work cannot be promoted is solved. And the safety of the system management authority utilization of the Windows system and the safety of the administrator credentials are improved on the basis of improving the working efficiency and simplifying the business process.
The embodiment of the invention enables standard users (namely users without system management authority) logging in the Windows operating system in corresponding scenes to directly acquire the system management authority of the Windows system without certification verification so as to finish installation and running of corresponding programs, prevents authority abuse in a program white list verification mode, and monitors the authority utilization condition in a mode of monitoring the authority-raising process behavior by kernel driving, so that the utilization of the authority is transparent to a system administrator, and the safety of the whole system is more improved. The invention can ensure that a standard user under a Windows system can obtain the high authority of the system without certification verification, complete program installation and certain tasks needing high authority program operation, does not need the participation of a PC (personal computer) manager, improves the working efficiency and protects the account and password certification of the manager to a certain extent.
The invention also proposes a device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, the processor implementing the method of raising non-administrator account permissions as described above when executing the computer program.
It should be noted that, because the device of the present invention includes all the steps of the method for promoting the non-administrator account permission, the device may also implement all the schemes of the method for promoting the non-administrator account permission, and has the same beneficial effects, and details are not described herein again.
The present invention also proposes a storage medium storing a computer program which, when executed by a processor, implements the method of promoting non-administrator account permissions as described above.
It should be noted that, because the storage medium of the present invention includes all the steps of the method for promoting the non-administrator account permission, the storage medium may also implement all schemes of the method for promoting the non-administrator account permission, and has the same beneficial effects, and details are not described herein again.
Fig. 7 is a schematic structural diagram of an apparatus/device for promoting non-administrator account permissions according to an embodiment of the present invention. As shown in fig. 7, the apparatus/device 6 for promoting non-administrator account authority according to this embodiment includes: at least one processor 60 (only one shown in fig. 6), a memory 61, and a computer program 62 stored in the memory 61 and operable on the at least one processor 60, wherein the processor 60 executes the computer program 62 to implement the steps of any of the various above-described method embodiments of promoting non-administrator account privileges.
The device/apparatus 6 for promoting the non-administrator account authority may be a desktop computer, a notebook, a palm computer, a cloud server, or other computing devices. The means/apparatus for promoting non-administrator account privileges may include, but is not limited to, a processor 60, a memory 61. It will be understood by those skilled in the art that fig. 7 is merely an example of the apparatus/device 6 for promoting non-administrator account rights, and does not constitute a limitation of the apparatus/device 6 for promoting non-administrator account rights, and may include more or less components than those shown, or combine some components, or different components, such as input and output devices, network access devices, and the like.
The Processor 60 may be a Central Processing Unit (CPU), and the Processor 60 may be other general purpose Processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), an off-the-shelf Programmable Gate Array (FPGA) or other Programmable logic device, discrete Gate or transistor logic device, discrete hardware component, etc. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like.
The storage 61 may be an internal storage unit of the apparatus/device 6 for promoting the non-administrator account authority in some embodiments, for example, a hard disk or a memory of the apparatus/device 6 for promoting the non-administrator account authority. The memory 61 may also be an external storage device of the apparatus/device 6 for promoting the non-administrator account authority in other embodiments, for example, a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) Card, a Flash memory Card (Flash Card), or the like provided on the apparatus/device 6 for promoting the non-administrator account authority. Further, the memory 61 may also include both an internal storage unit and an external storage device of the apparatus/device 6 for promoting non-administrator account rights. The memory 61 is used for storing an operating system, an application program, a BootLoader (BootLoader), data, and other programs, such as program codes of the computer program. The memory 61 may also be used to temporarily store data that has been output or is to be output.
It should be understood that, the sequence numbers of the steps in the foregoing embodiments do not imply an execution sequence, and the execution sequence of each process should be determined by functions and internal logic of the process, and should not limit the implementation process of the embodiments of the present invention in any way.
It should be noted that, because the contents of information interaction, execution process, and the like between the above-mentioned apparatuses/units are based on the same concept as the method embodiment of the present invention, specific functions and technical effects thereof can be referred to specifically in the method embodiment section, and are not described herein again.
It will be apparent to those skilled in the art that, for convenience and brevity of description, only the above-mentioned division of the functional units and modules is illustrated, and in practical applications, the above-mentioned function distribution may be performed by different functional units and modules according to needs, that is, the internal structure of the apparatus is divided into different functional units or modules to perform all or part of the above-mentioned functions. Each functional unit and module in the embodiments may be integrated in one processing unit, or each unit may exist alone physically, or two or more units are integrated in one unit, and the integrated unit may be implemented in a form of hardware, or in a form of software functional unit. In addition, specific names of the functional units and modules are only for convenience of distinguishing from each other, and are not used for limiting the protection scope of the present invention. The specific working processes of the units and modules in the system may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
An embodiment of the present invention further provides a network device, where the network device includes: at least one processor, a memory, and a computer program stored in the memory and executable on the at least one processor, the processor implementing the steps of any of the various method embodiments described above when executing the computer program.
The embodiment of the present invention further provides a storage medium, where the storage medium stores a computer program, and the computer program, when executed by a processor, implements the steps that can be implemented in the above method embodiments.
Embodiments of the present invention provide a computer program product, which, when running on a mobile terminal, enables the mobile terminal to implement the steps in the above method embodiments when executed.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, all or part of the flow of the method according to the embodiments of the present invention may be implemented by a computer program, which may be stored in a storage medium and executed by a processor, to instruct related hardware to implement the steps of the embodiments of the method. Wherein the computer program comprises computer program code, which may be in the form of source code, object code, an executable file or some intermediate form, etc. The computer readable medium may include at least: any entity or device capable of carrying computer program code to a photographing apparatus/device, recording medium, computer Memory, Read-Only Memory (ROM), Random Access Memory (RAM), electrical carrier wave signals, telecommunications signals, and software distribution medium. Such as a usb-disk, a removable hard disk, a magnetic or optical disk, etc. In certain jurisdictions, computer-readable media may not be an electrical carrier signal or a telecommunications signal in accordance with legislative and patent practice.
In the above embodiments, the descriptions of the respective embodiments have respective emphasis, and reference may be made to the related descriptions of other embodiments for parts that are not described or illustrated in a certain embodiment.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
In the embodiments provided in the present invention, it should be understood that the disclosed apparatus/network device and method may be implemented in other ways. For example, the above-described apparatus/network device embodiments are merely illustrative, and for example, the division of the modules or units is only one logical division, and there may be other divisions when actually implementing, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not implemented. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
The above-mentioned embodiments are only used for illustrating the technical solutions of the present invention, and not for limiting the same; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; such modifications and substitutions do not depart from the spirit and scope of the embodiments of the present invention, and they should be construed as being included therein.
Claims (10)
1. A method for promoting non-administrator account permissions, comprising:
operating the desktop agent program with the system management authority;
the desktop agent program acquires the information of the travel to be transported;
the desktop agent program matches the information of the to-be-transported process with a program white list;
if the matching is successful, the desktop agent program creates a process to be operated;
and if the matching fails, re-executing the step of operating the desktop agent program with the system management authority.
2. The method of promoting non-administrator account privileges of claim 1, wherein said step of running a desktop agent with system management privileges comprises:
acquiring a starting-up instruction;
starting a Windows service program according to the starting instruction;
and the Windows service program starts the desktop agent program with the system management authority.
3. The method for promoting non-administrator account permissions according to claim 2, wherein the step of the Windows service program starting the desktop agent program with system management permissions is:
calling a function for acquiring a current HANDLE to acquire the HANDLE of the current service process;
determining a system management authority token of the service process according to the handle and the process access token function;
calling a token copying function to create a new token to copy the system management authority token of the service process;
calling a session ID acquisition function to acquire a session ID of a user desktop process;
and calling a process creation function and creating a desktop agent process with system management authority according to the HANDLE HANDLE, the system management authority token and the session ID.
4. The method of claim 1, wherein the program white list is constructed by:
acquiring an executable file of a trusted installation program or an application program;
calculating the installation programs or the executable files according to a front-end encryption algorithm to determine a first hash value corresponding to each installation program or each executable file;
and storing each first hash value as a program white list.
5. The method of claim 4, wherein the step of the desktop agent matching the to-be-run process information to a program white list comprises:
acquiring the information of the travel to be transported;
calculating a second hash value corresponding to the to-be-transported travel information according to the to-be-transported travel information and a hash function;
and matching the second hash value of the information of the to-be-transported process with the first hash value in the program white list.
6. The method for promoting non-administrator account privileges of claim 1, further comprising, after running the desktop agent with system management privileges:
filtering out the to-be-run process which is started by the desktop agent program and has system management authority;
storing the behavior information of the process to be run as behavior log information;
sending the behavior log information to the desktop agent program;
and the desktop agent program uploads the behavior log information to a server for storage.
7. The method of promoting non-administrator account permissions according to claim 6 and wherein said behavior log information includes process PID, process name, hostname, process behavior and creation time.
8. An apparatus for promoting non-administrator account privileges, comprising:
the execution module runs the desktop agent program with the system management authority;
the information acquisition module is used for acquiring the information of the to-be-transported process by the desktop agent program;
the control module is used for matching the information of the progress to be transported with a program white list by the desktop agent program; if the matching is successful, the desktop agent program creates a process to be operated; and if the matching fails, re-executing the step of operating the desktop agent program with the system management authority.
9. An apparatus comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor when executing the computer program implements a method of elevating non-administrator account permissions according to any of claims 1 to 7.
10. A storage medium storing a computer program, wherein the computer program, when executed by a processor, implements a method of promoting non-administrator account privileges according to any one of claims 1 to 7.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210400321.5A CN114861160A (en) | 2022-04-16 | 2022-04-16 | Method, device, equipment and storage medium for improving non-administrator account authority |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210400321.5A CN114861160A (en) | 2022-04-16 | 2022-04-16 | Method, device, equipment and storage medium for improving non-administrator account authority |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN114861160A true CN114861160A (en) | 2022-08-05 |
Family
ID=82631227
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202210400321.5A Pending CN114861160A (en) | 2022-04-16 | 2022-04-16 | Method, device, equipment and storage medium for improving non-administrator account authority |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN114861160A (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN116432209A (en) * | 2023-06-08 | 2023-07-14 | 亿咖通(湖北)技术有限公司 | Program running authority processing method, device, equipment and storage medium |
-
2022
- 2022-04-16 CN CN202210400321.5A patent/CN114861160A/en active Pending
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN116432209A (en) * | 2023-06-08 | 2023-07-14 | 亿咖通(湖北)技术有限公司 | Program running authority processing method, device, equipment and storage medium |
| CN116432209B (en) * | 2023-06-08 | 2023-08-15 | 亿咖通(湖北)技术有限公司 | Program running authority processing method, device, equipment and storage medium |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US8806494B2 (en) | Managed control of processes including privilege escalation | |
| US9501628B2 (en) | Generating a distrubition package having an access control execution program for implementing an access control mechanism and loading unit for a client | |
| US8650578B1 (en) | System and method for intercepting process creation events | |
| WO2015096695A1 (en) | Installation control method, system and device for application program | |
| US10078754B1 (en) | Volume cryptographic key management | |
| US9571499B2 (en) | Apparatus and method of providing security to cloud data to prevent unauthorized access | |
| US8646044B2 (en) | Mandatory integrity control | |
| CN111695156A (en) | Service platform access method, device, equipment and storage medium | |
| CN110555293A (en) | Method, apparatus, electronic device and computer readable medium for protecting data | |
| US11244040B2 (en) | Enforcement of password uniqueness | |
| US20070079364A1 (en) | Directory-secured packages for authentication of software installation | |
| US7203697B2 (en) | Fine-grained authorization using mbeans | |
| US8850563B2 (en) | Portable computer accounts | |
| CN111177703B (en) | Method and device for determining data integrity of operating system | |
| CN110543775B (en) | Data security protection method and system based on super-fusion concept | |
| KR101977428B1 (en) | Content handling for applications | |
| CN114861160A (en) | Method, device, equipment and storage medium for improving non-administrator account authority | |
| CN113467895A (en) | Docker operation method, device, server and storage medium | |
| CN115292096A (en) | Backup data protection system, method, device and storage medium | |
| US8150984B2 (en) | Enhanced data security through file access control of processes in a data processing system | |
| JP2002304231A (en) | Computer system | |
| CN116415240A (en) | Lexovirus detection method and related system | |
| CN114070856A (en) | Data processing method, device and system, operation and maintenance auditing equipment and storage medium | |
| JP4371995B2 (en) | Shared file access control method, system, server device, and program | |
| CN109150863B (en) | Desktop cloud access control method and device and desktop cloud terminal equipment |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |